Note: This is an advanced tip and only applicable to certain situations. Remote Desktop listens on TCP port 3389 by default, and some people think they can increase the security of the RDP protocol by moving it to a different port. This is about as effective as moving the lock on a door and hoping a thief won't find it: a port scan finds the listener wherever it is, and service fingerprinting identifies the RDP handshake regardless of the port number. The technique only stops someone who knows absolutely nothing about TCP/IP.
If you still want to move the Remote Desktop default TCP/IP port, here is how you do it:
Warning: This tip requires modifying the registry; proceed at your own risk.
- Open the Windows Registry Editor: from the Start menu, type REGEDIT.EXE in the search field.
- In the Registry Editor navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (note the space in "Terminal Server") and select the PortNumber value.
- Click the Edit menu and select Modify..., or right-click the registry value and select Modify...
- In the dialog box, click Decimal and type the new port number you want to use (make sure it is not already used by another service; the default is 3389).
- Press the OK button to close the dialog.
- Add an inbound Windows Firewall rule that allows TCP on the new port. The built-in Remote Desktop rules only allow 3389, so without this step you will lock yourself out.
- Close the Registry Editor and reboot the computer. Afterwards connect with mstsc /v:hostname:port.
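The same procedure in an elevated PowerShell session, as an added example that is not part of the original post: it checks that the chosen port is free, writes PortNumber, adds the firewall rule the registry steps alone do not create, and verifies the value before you reboot. The port value 33890 is an assumption; New-NetFirewallRule and Get-NetTCPConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows 8 / Server 2012 or later. The port number is an
# assumption; pick any unused port between 1025 and 65535.
$NewPort = 33890
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Refuse to proceed if something is already listening on the chosen port
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use by another listener"
}

$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# PortNumber is a REG_DWORD; Set-ItemProperty keeps the existing value type
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort

# Without this rule the change locks you out: the built-in 'Remote Desktop'
# rules only allow TCP 3389
New-NetFirewallRule -DisplayName "Remote Desktop (custom port $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

# Verify the registry write before rebooting
$Check = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
if ($Check -ne $NewPort) { throw "Registry write failed, value is $Check" }
Write-Host "RDP port set to $Check. Reboot (or 'Restart-Service TermService -Force'),"
Write-Host "then connect with: mstsc /v:<hostname>:$Check"
```

After the reboot, Test-NetConnection -ComputerName <hostname> -Port 33890 from another machine confirms the listener moved and the firewall rule took effect; if it fails, the registry change is easiest to undo over a console session.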
Simply changing the location of the remote desktop software default port does not increase the protocol security. These instructions for moving the port and modifying the registry value are helpful for both software experts and beginners. The initial setup and installation of these services through remote connection and web browsers is essential to begin the remote access process.
Thanks for the procedure.
Do not forget to open the new port in your firewall software!
McThePro,
Firewall comment was very timely. It saved the rest of the hair I was about to pull out of my head!
McThePro,
Thanks for the firewall comment. I overlooked this item and was getting very frustrated until I saw your suggestion!
Hi Jason.
What then do you recommend to increase RDP security? Thanks.
Use the latest version of Windows; RDP is much more secure in Windows 7/Server 2008 R2 and higher (if the option is enabled). Also use a strong password, uncommon user names, and change the password regularly. Just basic stuff; if you want something more secure, then try setting policies such as enforcing a password lockout for too many attempts.
Changing port is not only "more" secure, it's practical if you wish to have more than 1 computer connected to the same IP/router.
I believe current best practice is to not expose RDP to the Internet directly at all. Rather, you should have users connect to a secure VPN into the network first and then use RDP on standard ports. This simplifies management of workstations and firewalls and is more secure.
Changing the RDP port is more secure because most attacks are brute force scripts and they are usually looking for default ports. I know because one server went from 35,000 RDP logon failures in a couple of days to zero after the port change.
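Added example, not part of the original post or of any commenter's words: a way to measure the "RDP logon failures" the comment above describes and to check the lockout policy the author suggests further up. It reads Security event 4625 on the host itself, groups failures by source address and by attempted username, and prints the local lockout settings. It assumes an elevated session on Windows 8 / Server 2012 or later; the 24-hour window and the reading of the author's "option" as Network Level Authentication are assumptions.

```powershell
# Added example, not from the original post or its comments. Assumes an
# elevated PowerShell session (the Security log is not readable otherwise)
# on Windows 8 / Server 2012 or later. The 24-hour window is an assumption.
$Since = (Get-Date).AddHours(-24)

# Event 4625 = "An account failed to log on". Its fields live in the event XML.
$Failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP); 3 = Network (what NLA pre-auth failures log as)
            Source    = $d['IpAddress']
        }
    }

"Failed logons since ${Since}: $($Failures.Count)"

# A few addresses with hundreds of attempts each is the brute-force pattern described above
"Top source addresses (network / RDP logon types):"
$Failures | Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Most-tried usernames show whether 'uncommon user names' would have helped
"Top attempted usernames:"
$Failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Local lockout policy; on a domain member the domain GPO overrides these values
"Lockout policy:"
net accounts | Select-String 'Lockout'

# Assumption: the "option" the author refers to is Network Level Authentication (1 = required)
"Network Level Authentication required:"
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication).UserAuthentication
```

Run it before and after moving the port and the two counts tell you how much of the traffic was default-port scanning; a source that keeps appearing after the move has found the new port, which is the limitation the post itself points out.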
Could I have multiple computers on a single network each using a different port by simply port forwarding on my router?
That's what you call security by obscurity. Not really security. It might help a tiny bit. I'm not familiar with a lot of hackers' tactics, but with the port scans I see in our logs I'm certain that they can find out what ports are listening for what protocols.